Now that Cybaverse has gained access to the network, we look to see what is possible and what a threat actor could access, following a breach.
Yesterday, thanks to the Red Team, Cybaverse conducted a successful Physical Security breach of Santa’s Workshop and obtained access to the internal network.
Different threat actors will have different motives, which means the route and actions they take after gaining access to your network will vary. As we are testing the TTPs the Gruber Group uses, Cybaverse will look to go undetected on the network for as long as possible to obtain full domain administrator rights and compromise the Naughty or Nice list.
The drop box left behind the TV in the ‘Jingle Bells’ meeting room was calling back to Cybaverse Advanced Threat Operations HQ and gave our security professionals visibility into the internal network of Lapland Industries.
Unfortunately, further scanning on the network again showed that the TV/Entertainment network was segregated from the Tier 1 secure network we needed access to. However, there was a machine on the network that was running remote desktop. This was targeted by the Red Team to conduct another password spray using the address book details uncovered from the phishing campaign.
This resulted in 3 matches, as seen below:
Christopher.elf@laplandindustries.com > Santasworkshop2022!
Alfred.elf@laplandindustries.com > Santasworkshop2022!
Ellie.elf@laplandindustries.com > Santasworkshop2022!
Using these credentials to access the server gave the Red Team the break they needed. The server was reachable from every VLAN in Lapland Industries and could therefore be used to pivot into all of them. However, there was one final stumbling block to overcome before the Red Team could drop their command and control software onto this machine to gain access to the network they needed:
Many companies have Detection and Response tools such as Defender or CrowdStrike Falcon, which monitor the network for suspicious activities that might indicate the company has been breached or compromised, often proactively stopping common exploits. These tools can be costly and can fall short if threat actors are particularly tenacious.
Luckily, Mr and Mrs Claus had instructed Cybaverse to conduct their Red Team. Cybaverse's CTO, Ian Lyte, has written a custom tool that was used to evade antivirus programs with obfuscated payloads.
A few quick configuration tweaks to the tool later, an encrypted payload was dropped on the remote desktop server, and the callback was received at HQ shortly after.
Around 12 hours after the remote desktop credentials had been compromised, Santa informed us that password spraying had been detected on the network and everyone had changed their password. However, an attacker like the Gruber Group would have more time and would likely throttle, or pause entirely, between attempts once valid credentials had been obtained, in order to remain undetected. Even after detection, the embedded payload was still running on the server, giving full access to all of the networks in Lapland Industries.
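To illustrate the throttling point from the defender's side, here is an added Python example (not part of the original post or Cybaverse's tooling): a detector that counts distinct accounts per source over a long window, rather than attempts per minute, so a low-and-slow spray still surfaces. The log lines, account names and IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed logon records for illustration only, not engagement data:
# "<ISO timestamp> <source IP> <account> <FAIL|SUCCESS>".
SAMPLE_EVENTS = [
    "2022-12-04T08:00:00 198.51.100.7 frosty.elf FAIL",  # outside the 24h window
    "2022-12-06T08:00:00 198.51.100.7 christopher.elf FAIL",
    "2022-12-06T10:05:00 198.51.100.7 alfred.elf FAIL",
    "2022-12-06T12:10:00 198.51.100.7 ellie.elf FAIL",
    "2022-12-06T14:15:00 198.51.100.7 rudolph.elf FAIL",
    "2022-12-06T16:20:00 198.51.100.7 dasher.elf FAIL",
    "2022-12-06T18:25:00 198.51.100.7 holly.elf FAIL",
    "2022-12-06T09:00:00 10.20.30.40 santa.claus FAIL",  # one user mistyping
    "2022-12-06T09:00:10 10.20.30.40 santa.claus FAIL",
    "2022-12-06T09:00:25 10.20.30.40 santa.claus SUCCESS",
]

def parse_event(line):
    ts, src, account, result = line.split()
    return datetime.fromisoformat(ts), src, account.lower(), result

def detect_spray(lines, window_hours=24, min_accounts=5):
    """Return {source: distinct accounts} for each source whose failed logons
    hit at least min_accounts distinct accounts within any span of
    window_hours. Counting distinct accounts per source over a long window,
    rather than attempts per minute, is what catches a throttled spray."""
    window = timedelta(hours=window_hours)
    failures = defaultdict(list)
    for line in lines:
        ts, src, account, result = parse_event(line)
        if result == "FAIL":
            failures[src].append((ts, account))

    alerts = {}
    for src, events in failures.items():
        events.sort()
        start, best = 0, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            best = max(best, len({acct for _, acct in events[start:end + 1]}))
        if best >= min_accounts:
            alerts[src] = best
    return alerts

if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))  # {'198.51.100.7': 6}
    print(detect_spray(SAMPLE_EVENTS, window_hours=0.5))  # {} (window too short)
```

The same six attempts spread two hours apart vanish under a 30-minute window, which is why lockout-style thresholds alone miss a patient attacker.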
This enabled Cybaverse to conduct the full compromise of the Naughty or Nice list.
Get the basics right
We’re passionate about the basics, as many cyber attacks rely on misconfiguration, weak passwords, and a lack of patching. When instructed to complete a Red Team, we often find that the basics are what get us the furthest, and they are among the most preventable causes of a breach.
Security misconfiguration
Security misconfiguration occurs when security settings are not implemented or are implemented incorrectly. These settings can leave the programs and the organisations utilising them at risk of compromise. Some examples of misconfiguration are:
Weak passwords
As covered in Day 5, enabling Active Directory password protection or ensuring that Multi-Factor Authentication is enabled for all users can help reduce the impact of password spraying. Create a list of words that are not allowed in passwords, such as the company name, months, colours and days.
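As an added example of such a banned-word check (written for this page, not Cybaverse's or Microsoft's code), the Python below normalises a candidate password before matching so that the sprayed password from the write-up, and leet-speak variants of it, are rejected. The banned list and company terms are constructed for Lapland Industries.

```python
import calendar
import re

# Constructed banned list for Lapland Industries: company terms, colours,
# months and days, the categories recommended above.
COMPANY_TERMS = ["lapland", "laplandindustries", "santa", "workshop"]
COLOURS = ["red", "green", "blue", "gold", "silver", "white"]
BANNED = (COMPANY_TERMS + COLOURS
          + [m.lower() for m in calendar.month_name if m]
          + [d.lower() for d in calendar.day_name])

# Common single-character substitutions users make to slip past naive filters.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

def normalise(password):
    """Lowercase, drop the trailing year/symbol suffix, then undo leet-speak,
    so 'S@ntasWorkshop2022!' and 'santasworkshop' compare equal."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)   # strip suffixes such as '2022!'
    return p.translate(LEET)

def banned_terms_in(password):
    """Return the banned terms found in the normalised password (empty = clean)."""
    norm = normalise(password)
    return sorted(term for term in BANNED if term in norm)

def is_acceptable(password, min_length=12):
    """Policy check: long enough and free of banned terms after normalisation."""
    return len(password) >= min_length and not banned_terms_in(password)

if __name__ == "__main__":
    for candidate in ["Santasworkshop2022!", "Lapl4ndR3d!", "correct-horse-battery-staple"]:
        print(candidate, banned_terms_in(candidate), is_acceptable(candidate))
```

Single-character substitutions are the only transformations handled here; a production deployment would also compare against breached-password lists.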
Patching
Ensuring you install security patches within an appropriate time frame of their release by providers or vendors is essential to protect your business against cyber threats, particularly as, once a security vulnerability has been made public by the release of a patch, attackers have produced malicious code within hours to catch those who have not yet installed it.
Some organisations can struggle to gain visibility on their true patch status, as some patches may appear to have been applied when in fact, they have not been properly implemented. Vulnerability scanners will help detect these. However, if that is not available, businesses should look to supplier documentation on how to identify patch levels and complete manual audits.
Tomorrow we will explain data exfiltration and why it is important that organisations protect their internal data and IP from being extracted.
Now that we have achieved the goal and tested all the TTPs that were outlined in scoping, Cybaverse will put together a comprehensive report on their findings and present this to Mr and Mrs Claus.